WEBINAR:On-Demand

Three different organizations were recently hit by spear phishing attacks that successfully stole thousands of employees' W-2 tax information.

The Milwaukee Bucks basketball team recently acknowledged that an undisclosed number of employees' W-2s were exposed on May 16 when an employee provided the tax information in response to a request that appeared to come from the Bucks' president.

"We quickly notified impacted individuals and are arranging for these individuals to have access to three years of credit monitoring and non-expiring identity restoration services," the Bucks said in a statement. "We have reported this incident to the IRS and the FBI, and will work with the authorities to continue our investigation and response to this incident."

"We believe this incident arose as a result of human error, and are providing additional privacy training to our staff and implementing additional preventative measures," the Bucks added.

Separately, a phishing attack on May 2 compromised the tax information of 2,800 employees of California's Saint Agnes Medical Center, according to Becker's Health IT & CIO Review. All those affected are being offered a free one-year membership in Experian's ProtectMyID Elite service.

In a statement provided to the Fresno Bee, Saint Agnes president and CEO Nancy Hollingsworth pointed out that phishing attacks like these are on the rise nationwide. "It's more important than ever for individuals and businesses to seek out information and education about the issue of security so we can protect ourselves from becoming victims," she said.

And on Apri 4, the W-2 information of approximately 1,300 employees of Missouri's Rockhurst University was exposed when an employee responded to an email that appeared to come from a university administrator, the Kansas City Star reports.

"We will aggressively pursue measures to prevent a similar occurrence in the future," university president Thomas B. Curran said in a statement. "To that end, we’re working with the authorities, our insurance company, legal counsel, other institutions and experts to identify best practices for getting ahead of schemes like these that, unfortunately, continue to surface."

Cloudmark's 2016 Q1 Security Threat Report recently noted that attackers seeking W-2 information to use for tax fraud have expanded their tactics from focusing on phishing consumers in 2015 to spear phishing businesses in 2016.

"Each attack begins with a simple email, purporting to come from a superior or trusted vendor or colleague, with a straightforward request," the report states. "No malicious malware or links accompany the email, enabling it to remain undetected by many SEG solutions. Both the FBI and the IRS report that these attacks are being mounted by organized crime."

"Since Business Email Compromise attacks don't require a large amount of expertise and time to create, attackers will continue to barrage employees with impersonation emails, looking for the companies with weak training or those who lack sufficient spear phishing prevention and detection solutions," the report adds.

"These spear phishing attacks have been shown to be incredibly effective, compromising companies big and small without discrimination for the type of business targeted," Cloudmark security researcher Tom Landesman noted in a blog post. "Scammers have managed to spear phish a broad set of organizations ranging from a concrete supply company to a major computer hardware manufacturer to now a basketball team."